@RISK Newsletter for June 06, 2013

The consensus security vulnerability alert.

Vol. 13, Num. 23

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.

CONTENTS:

TOP VULNERABILITY THIS WEEK: Google researcher Tavis Ormandy provided exploit code for an unpatched local kernel vulnerability in Windows this week, after having first published details on the Full-Disclosure mailing list in mid-May. The release coincides with Google’s shift from giving vendors 60 days on actively exploited vulnerabilities to 7 days before Google will release details.

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Google Shifts Policy, Will Release 0-days After A Week; Researcher Provides 0-day PoC

Description: In a major policy announcement made last week, Google stated that it will publicly disclose details of new vulnerabilities in other vendors’ products 7 days after discovery, if those issues are being actively exploited in the wild. This is a major shift from its previous policy of giving vendors 60 days before disclosure. While acknowledging that this new policy may be too short a time frame for vendors to develop a patch, Google stated that vendors should at least make users aware of the situation and offer any possible mitigations while a patch is being developed. Meanwhile, Google researcher Tavis Ormandy has released exploit code for a local kernel vulnerability in Windows ahead of a patch by Microsoft, after having released initial details in mid-May. Microsoft claims that no active exploitation was taking place prior to the release of the exploit code, although it is likely that will change in the face of a publicly available PoC.

Reference:
http://googleonlinesecurity.blogspot.ch/2013/05/disclosure-timeline-for-vulnerabilities.html
http://seclists.org/fulldisclosure/2013/May/91
http://seclists.org/fulldisclosure/2013/Jun/5

Snort SID: N/A
ClamAV: N/A

Title: RFI Botnet Compromising WordPress, Joomla Sites Worldwide

Description: Researchers at the Deep End Research group released an in-depth report this week on a major botnet that has been responsible for compromising hundreds of thousands of WordPress and Joomla web sites across the planet over the past year. The report, which is designed to raise awareness among administrators of these notoriously vulnerable web services, corresponds to attack techniques seen by Sourcefire since September of 2011. System administrators are urged to check their systems for signs of compromise by this botnet, and to ensure that their systems have all of the latest available security patches and recommended settings applied.

Reference:
http://www.deependresearch.org/2013/05/under-this-rock-vulnerable.html

Snort SID: 26813
ClamAV: Trojan.Dapato-*

Title: German Torrent Contains Source For 309 Bots

Description: The authors of the well-respected “Malware Must Die” blog this week published information on a huge dump of botnet source code they discovered on a German torrent, which has since been shut down. While most of the source is several years old, it provides valuable insight into multiple important families of malware, including Zeus, Skype-based bots, SDbot, and others. The source code is being shared with security researchers, and should provide useful information for network defenders worldwide.

Reference:
http://malwaremustdie.blogspot.com/2013/06/full-disclosure-of-309-botbotnet-source.html?spref=tw

Snort SID: Various
ClamAV: Various

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.